Balancing test

The balancing test is the three-step assessment required under Art. 6(1)(f) GDPR in which a controller's legitimate interest is weighed against the interests and fundamental rights of the data subject.

The balancing test sits at the heart of the legitimate interests legal basis under Art. 6(1)(f) GDPR. It applies where a processing operation cannot be based on consent, a contract or a legal obligation, yet the controller still pursues a legitimate processing purpose. Unlike other legal bases, lawfulness here is not laid down in the abstract; it must be established and documented case by case through an evaluative comparison of the competing interests at stake.

The assessment runs in three steps. The first step determines whether a legitimate interest of the controller or a third party exists at all; this may be economic, legal, ethical or organisational, such as fraud prevention, network and information security or direct marketing. The second step (necessity) examines whether the specific processing is suitable and necessary to achieve that interest and whether no less intrusive, equally effective means is available. The third step is the actual balancing exercise: the legitimate interests must not be overridden by the interests or the fundamental rights and freedoms of the data subject.

Decisive for the third step are, in particular, the reasonable expectations of the data subject, the nature of the data processed, the processing context and any safeguards such as pseudonymisation, access restrictions or transparency. A stricter standard applies to children and to special categories of personal data. Because of the accountability principle in Art. 5(2) GDPR, the outcome should be recorded in writing in a so-called Legitimate Interests Assessment (LIA), since the data subject has a right to object under Art. 21 GDPR and the supervisory authority must be able to retrace the balancing exercise at any time.

Legal Basis

Art. 6(1)(f) GDPR; Recitals 47-49 GDPR; Art. 21 GDPR (right to object)

Practical Example

An online retailer wants to check customers' IP addresses and ordering behaviour for fraud prevention before offering payment on invoice. Since consent is not practicable and no contract has yet been concluded, the data protection coordinator documents an LIA: step 1 affirms the legitimate interest in avoiding payment defaults, step 2 establishes necessity because no less intrusive means is equally effective, and step 3 tips in the retailer's favour because only order data already held is used, no profiles are built and retention periods are defined. The LIA is placed on file and transparently explained in the privacy notice.

FAQ

Whenever a processing operation is to be based on the legitimate interests ground under Art. 6(1)(f) GDPR. It is not required where another legal basis such as consent, a contract or a statutory obligation applies. Public authorities generally cannot rely on legitimate interests for the performance of their tasks.

First, the existence of a legitimate interest; second, the necessity of the processing to achieve it; and third, the actual balancing against the interests, fundamental rights and freedoms of the data subject. The processing is only lawful if all three steps are passed.

Yes. Because of the accountability principle in Art. 5(2) GDPR, the outcome should be recorded in writing in a Legitimate Interests Assessment (LIA). This enables the controller to demonstrate the lawfulness of the processing to the supervisory authority and to data subjects.